
Re: RFS: nautilus-clamscan
Clement Lorteau wrote:

> ...<snip>...
> > Your GPG key is not signed by anyone. You should try to meet someone
> > that can sign it, preferably a DD or someone whose key is signed by a
> > DD. Look at this page:
> > https://nm.debian.org/gpg.php
> >
> > If you live in Paris or near Paris, I can sign your key.
>
> I do live near Paris. I'll contact you in private. However, is the key signing needed for uploading the package? I had 2 versions of another package uploaded without having to have my key signed.

If I were intimately familiar with a package and had looked at EVERYTHING, I would be comfortable uploading a package signed with an unverified key. But that is a lot of work (and I am basically asking everyone to hold me accountable for any problems ;-).

It is much more likely that I would not duplicate someone else's effort. When I decide to accept what someone else has done, then it becomes much more important to be able to identify that person. At the point where I might want to say I got code from someone else, the signed key becomes critical. I could upload a package that was sent with an unverified key, but that would speak volumes about my judgement. When I sign a package (or another key for that matter), a person can rely on my judgement as input. I do not promote worthless input. It should be easy to understand why a person would hesitate to accept an unverified key, since it could make their judgement worthless.

Richard